The content about VPNs in the whonix docs is correct but can be misleading for many average users because I think it is complicated for the average user to learn from effectively. I think so not only from my own experience reading the docs but also because when reading privacy discussions in various parts of the internet, there is a lot of confusion everywhere about VPNs and Tor.
It is important to make the docs easy to read and learn from because anonymity likes company. If you make it difficult then the anonymity will be worse because it doesn’t have as much company.
I think the most important page to do a rewrite on is the introduction to tunnels, Combining Tunnels with Tor. It warns users to not use VPNs or tor through vpn because of many different reasons including port shadow attacks and shared infrastructure of the servers. But these are problems that the reputable VPN providers have solved. They are not vulnerable to port shadow attacks and they own their infrastructure. But the docs don’t write about that. It comes off as biased to create FUD about VPNs by mentioning threats that modern reputable VPNs have solved. And the best of all VPNs is Mullvad, who solves everything because they require minimal personal info to create an account with them. Payment in monero, no email, the only thing they will get is your IP when you sign in to your account. And it uses a new technology called DAITA which prevents advanced internet traffic analysis. All problems with VPNs that are written about in whonix docs are solved with Mullvad.
I think it’s great to write about problems that amateur VPN providers can have but all that content takes too much focus and is difficult to read through. The introduction to tunnels should be a more useful introduction, simple to read through.
I think it’s an unfair bias with scaring people off from using VPNs in combination with tor. The docs don’t do the same thing focusing on the weakness of tor, which is when an adversary has access to many entry and exit nodes, they can see our IP and destination. And this is a very big problem. It was recently in the news about FBI taking down someone who was running some exit nodes which captured something around 40% of all tor traffic. It’s very easy for state actors to de-anonymise tor users and see which websites we are reading. But state actors are not able to do that against Mullvad users because DAITA and no logs. I’m not saying Mullvad is better than tor, but that the docs are unfair when talking about the problems and comparing them. And I think the content should be more favorable when discussing tor through vpn or vpn through tor and not putting almost all focus on vulnerabilities which the reputable VPN providers don’t have.
It’s important to make the average user able to learn effectively from the docs. The discussions that the wiki links to which argue that it’s disadvantageous to use vpn in combination with tor are old discussions which don’t take into account most/all of those vulnerabilities are solved by VPNs. So I think that whole wiki page needs a big do over. Those vulnerabilities need to be at the bottom of the page and it clearly has to be written in some way that reputable modern VPN providers don’t have those vulnerabilities, it would be good to mention a few of them even, especially Mullvad deserves to be mentioned.
I can help with writing this new page but first I wanted to make this post to explain why it’s a good idea. And maybe we can work together in writing it. Let me know what you think.
Personally, I think it’s dangerous to talk about “reputable” VPN providers, for three main reasons:
For one, unless a VPN provider allows random people to walk into their datacenter, snoop around with full read access to all their machines, listen to their network connections, analyze the software binaries running on their machines, and search through various other data the provider is storing, it’s not possible for someone to trust that the VPN provider actually does what they say they do (no logs, proper use of cryptographic and other technologies, etc.). Anyone can make all the claims they want in the world, but that doesn’t make them necessarily true.
For two, inevitably people’s ideas of what does and doesn’t make a VPN trustworthy are going to differ. Some of us might think that collecting IP logs and requiring the user to present their legal ID to sign up isn’t really that much of a risk. Others might think that handling any networking connections outside of a confidential computing VM running on a RISC-V machine locked inside a fort with armed robots guarding it 24/7 is a mortal sin that renders the provider completely unsafe. We don’t particularly want to become part of an argument about who the best VPN providers are (especially when we have nowhere near enough resources to go and audit them to find out, and most of them probably wouldn’t allow us to audit them anyway).
For three, even the perfect VPN provider is still a centralized entity. The law enforcement agencies of the country the provider resides in can force the provider to act in a malicious manner against any or all of their users, even if they were previously audited and known to be safe. Warrant canaries kind of help here if dealing with a trustworthy provider, but law enforcement could even force a provider to produce a false warrant canary (the Qubes OS project explicitly warns about this risk in their warrant canaries).
The nice thing about Tor is that we don’t have to trust any of the network to be safe. Even if every single relay on the network is malicious, the network itself is still safe so long as those malicious nodes aren’t in collaboration. The potential vulnerabilities Tor suffers from with collaborating malicious nodes are well-understood, and it is in the power of any community member with enough resources to set up a relay of their own and help make the network more trustworthy by virtue of being less centralized. With a VPN, the usefulness of the VPN depends entirely on the trustworthiness of the entity providing it, which is not guaranteed to remain constant.
With this context, I don’t think it’s really FUD to mention threats that modern reputable VPNs have solved, since there is no way to objectively distinguish “modern reputable VPNs” from malicious or careless VPNs. If a user has personal reasons to trust a VPN provider, they are free to set up their systems to use that VPN provider, but the decision to trust a provider is the user’s responsibility. To my awareness, we don’t particularly want to influence a user’s decision to trust or distrust a VPN provider with claims that cannot be independently verified.
There seem to be several solutions against port shadow attacks but the most common seems to be to have the IP address you connect to be different than the IP your packets leave from, so there isn’t a collision of ports and IPs. Because port shadow attacks are only possible under certain conditions: The attacker knows the target’s public IP address; the attacker knows the VPN server IP; and, the VPN server’s entry and exit IP addresses are the same.
I also don’t think it’s best to turn the page into recommending vpn providers to use but I thought it could be good to make an exception for Mullvad which really has gone far above and beyond all other VPNs and doing everything as good as it can be done for customers’ privacy, and leading the way in features such as DAITA. I can’t think of anything which Mullvad could do better than they already have.
What arraybolt3 says is true, at the end of the day, there is still trust involved with VPNs which are centralized. One of the points I made in my previous post is that the comparison between tor and VPNs isn’t fair. It’s just full blast of warnings against VPNs and linking to old discussions, not a single good word about VPNs. But the big problem of tor nodes collaborating maliciously is barely mentioned and the problem it causes is often downplayed a lot. The truth is it’s a huge problem with tor. Nodes are more centralized than we are being led to believe. It’s not only about the amount of nodes but also about how fast and properly maintained those servers are. Very few people buy a cutting edge server to run a tor node from home and getting their home IP blocked by half the internet and potential legal problems.
Personally I assume that most if not all of my tor traffic is being logged and they have both the source IP and destination IP in the logs.
If I use Mullvad and assume they are corrupt, then they know my source IP and destination IP. So it’s the same problem. But if Mullvad is not corrupt, then it’s almost perfect. And they have written about the laws in Sweden where they have the HQ and what they have to log if they get a warrant. Tor also doesn’t have solution against advanced traffic analysis but Mullvad solves that.
Not saying that one is better than the other but if you look at this without bias then the problems and benefits are quite balanced. So that’s what I think is important to fix about the introduction page in the wiki. Remove any bias, put equal amount of attention and explain problems with both tor and vpns and in VPNs case, that most of the major VPN brands have solved those vulnerabilities, and then where it gets interesting is talk about how they can be used together with tor through vpn or vpn through tor because you don’t have to choose between only VPN or only tor.
There is also one more thing which could be worth writing in the introduction page because I think it’s another part of the reason there is a lot of confusion about VPNs and tor. The more popular privacy communities are, to put it in kind words, biased against advanced/modern privacy. They often ban users who recommend using tor or doing other things like going out and leaving the phone at home. They seem to want people to think it’s enough to just use a VPN and a browser like firefox or brave and that’s all that is necessary to have protected your privacy, end of discussion or ban. This was the kind way of telling what is happening on the more popular privacy communities. We can probably write that problem in a better way with the purpose of bringing it to awareness because it’s harder to be manipulated when you know about it already. It’s not important to include this in the introduction but I think it would be nice to do that in a smooth way.
Not all public VPN providers are susceptible to port shadow, including three of the more popular ones: NordVPN, ExpressVPN, and Surfshark, all of which block port shadow…
This is a good one because they have got interviews with the VPN providers to get first-hand explanations how they solved it. It also quotes the original research in some parts. For example:
In response, ExpressVPN said: “Our VPN servers use different entry and exit IP addresses, preventing the key conditions necessary for the attack described in the report.”
It’s ok if we decide to not make any exceptions but I still think exception can be good to make if there is a good argument for doing it. And Mullvad who solves all VPN problems as much as possible and even has DAITA which completely changes everything when it comes to VPNs. It really puts Mullvad in a special category because DAITA is so great. I wish tor had DAITA. But the great thing is that if you use Mullvad through tor then you can kind of have DAITA with tor. No other vpn or tunnel has this technology.
But the most important part imo is that the wiki page writes the problems of tor and vpns in an unbiased and up to date, fair way. It seems a bit strange why the huge problem of tor exit and entry nodes collaborating to track our browsing history, is barely mentioned most of the time and usually it’s at the same time talked down about that it’s not much of a problem when it really is a huge problem. That problem deserved to have equal amount of big warning signs as VPN vulnerabilities do.